Six steps for securing unstructured data

I have recently noticed a dramatic increase in client inquiries about the security of unstructured data. Information that does not have a predefined data model or fit readily into relational data tables can be problematic. Typically this sort of data is stored in traditional Windows and Unix file systems.

This trend indicates a heightened awareness of both the growth in the volume of unstructured data held by organisations and the security risks this data represents.

Nonetheless, Gartner believes the security of unstructured data remains a seriously under-recognised problem.

Many organisations have terabytes or even petabytes of data in file shares, home directories, departmental folders, project folders or drop-folders that are effectively invisible to the information security organisation.

The result is an extraordinary proliferation of data that is often unnecessary, redundant or inappropriate, and a proliferation of individual users with unnecessary or inappropriate, and therefore dangerous access to that data.

Security professionals should implement six best practices to help protect their organisation against the security risks of unstructured data:

1. Appoint data stewards Develop, implement and communicate a process and policy for the governance and management of unstructured data. One of the key roles within the information governance (IG) programme is the data steward.

Educating data stewards about how to identify data security risks, and aligning them with the information security team, will provide a much-needed communication pathway between the business and the information security organisation.

This pathway, which does not exist in most organisations, provides bidirectional benefit. The business has the ear of the information security organisation and can better communicate its strategies in a common language, while the information security organisation has a pathway to communicate security risks effectively.

2 Create an oversight committee Create an oversight committee to review the potential impacts and risks of unstructured data.

This committee, which is a tactical working group typically composed of security professionals and system administrators, should be an adjunct to the organisation’s established information security governance programme.

Its primary goal is to give its members an opportunity to discuss how unstructured data is being handled, what risks and other impacts it may present, and what measures can be taken to secure it.

3 Classify all data Implement a process for discovering, identifying and classifying or declassifying all data, including unstructured data.

The information security organisation should implement an ongoing crawling mechanism for data discovery. This essentially locates all data stores and looks into them. This process may be enabled by software tools, including data loss prevention (DLP), IG, and directories, including some that the enterprise may already have installed.

4 Understand data patterns Undertake a project to simplify the structure of the organisation’s unstructured data.

Working with data architects, IT operations and business stakeholders to understand data profiles, usage patterns and the process behind the addition and permissioning of unstructured data will greatly simplify the tasks of identifying and securing unstructured data.

The value-add of this communication will allow for better support for business requests and support the ongoing security of unstructured data.

5 Update data access permissions Implement a comprehensive access provisioning and deprovisioning process.

It is crucial that individuals who move from one role to another not only be granted necessary new permissions, but have old permissions removed where appropriate.

This may be a largely manual process, but tools are available that can support it.

For example, if the enterprise has an authoritative directory, it can, and probably should, remove individuals from groups they should not belong to.

There should also be periodic reviews of group structures and group memberships within the directory.

6 Automate data discovery Evaluate tools to help automate data discovery and classification, and to automate workflow around assessing and addressing provisioning problems.

Although tools are not the best or only answer, they can facilitate a baseline from which organisations can locate critical data and evaluate current access structures.

Tools such as content-aware DLP and unstructured data management tools can provide a good starting point.

Recognise that simply using a search tool that finds patterns which may indicate Social Security numbers or credit card numbers is not enough.

Search and discovery needs to be coupled with an analysis of business value and business process to ensure that the right data is identified and protected.

The reality is that most organisations simply do not know how much unstructured data they are storing, what types of data are held in unstructured data stores and file systems, and who has access to that data.

Unstructured data, and the inability to manage or even understand it, presents serious and growing risks for organisations.

These risks include regulatory and legal exposure.

Jeffrey Wheatman is research director at Gartner

Pic: Lance Shieldscc2.0